Just my two cents… as a fresh pair of eyeballs looking at Virtualmin. I would suggest two things: (my apologies if I missed earlier discussions on the topics)
WireGuard VPN server module option
and
Tripwire module (or alternative) installed out of the box
I would also suggest adding a fail2ban config option to the post-installation wizard. By default Apache sites are enabled upon installation of a new system, but a user has to manually go back and activate fail2ban for Apache.
I would also suggest an easy “receive email upon ip ban” option for fail2ban. If fail2ban bans a “friendly” ip, admin may not realize the source of access problems.
You cannot be a noob - you know what you are doing by knowing that open source stuff… Please ask @staff for a solution; they have figured it out in paid support, and I am sure they will help you out too.
You don’t have to tag us. I read everything, though I don’t always have time to reply, either because it’s too complicated or not clear or I don’t know off-hand. In this case, I could see a WireGuard Webmin module being useful (like we have an OpenVPN module). I don’t know how it’d be a useful addition to Virtualmin, though.
Tripwire feels mostly irrelevant for the future of hosting. I’ve deployed it a few times for clients way back a couple decades ago when I was doing a lot of general Linux/network contract work. But, for web servers I just don’t see it being all that useful. mod_security is in our plans (I mean, nothing is stopping people from using mod_security now, but we plan to add some GUI and installer support for it), and I think it’s a more appropriate tool for the web hosting space. The world we’re all heading toward (whether we like it or not) is going to be more ephemeral (new container for each new version of an app, built from trusted components) and lighter weight with almost nothing running in each given container. Tripwire is for big systems that do a lot. Intranets, old school multi-purpose servers, etc. We still mostly live in that old world, but I have no interest in expending a bunch of resources on tools for that old world; we simply can’t afford to do that, if we want Virtualmin to exist in ten years.
@unborn trust me I’m definitely in the “noob” category… I just had the fortune / misfortune of using a very garbage control panel for ~7 months when compared to Virtualmin’s out-of-the-box usability. I ended up reading more server documentation than doing actual web development work, which defeated the point of having the control panel. Whereas, with Virtualmin, I have been able to mostly figure things out by simply reading the interface and the occasional written documentation page. Virtualmin is a godsend.
@Joe , not sure what you mean by “tag” you guys… I just saw the topic of this forum and just thought I’d try to be helpful, with fresh, slightly better than “regular noob” eyeballs and provide some basic feedback from my initial user experience. I didn’t mean to offend or inconvenience in any way. Do feel free to ignore / not reply to this thread. I don’t want to take up too much of your time as I am clearly posting with very, very limited knowledge of Virtualmin & Webmin in general. Is there a better way to submit these types of tips, without causing a ruckus?
Your point about Tripwire understood.
I may take a stab at AIDE and I am installing modsec today. My greatest concerns as a new user were a MariaDB option, which @Ilia already confirms is coming in version 7, and tweaking fail2ban.
Even with whatever “tweaks” I could suggest, Virtualmin is light years more useful & mature than anything else in the market, so believe me, I am the latest “evangelist” to join the cheering team.
The GUI for Vmin is excellent… Just a thought… has anyone considered an option to activate/deactivate mouseover/pop-up tooltips over less intuitive aspects of GUI to help new users get up to speed quicker?
There are tooltips where help files exist. There was a time when it covered pretty much every Virtualmin option, but it’s been a few years since anyone was able to spend the time needed to keep it up to date.
Adding a tooltip is super easy. You just have to create a file with the same name as the item label (or input id or name for the field in Authentic Theme). You don’t need to look at the source, you can just use a browser developer tools selector thingy to find out the ID for a field. Once you have the ID you just create a file named $ID.html (obviously replacing $ID with the ID you found in the form).
That said, I’m poking around right now, and it seems like we’ve still got pretty good help coverage. All of the core Virtualmin pages have tooltips for nearly all items. If you’re finding a specifically confusing item that doesn’t have a tooltip, feel free to make a PR to add it, or create an issue at github to request somebody else add it. (And, if it’s confusing, it might be that we need to improve the UI rather than add more docs, or maybe a little of both.)
Webmin is a much larger project and doesn’t have as much hand-holding, but you’ll still find some of the better loved modules have either pretty good online help (top left corner question mark) or tooltips or both. Postfix is a good example with excellent help and tooltip coverage (mail is so confusing for so many people we put a ton of work into making sure people could find help if they were looking).
@joe I’d be happy to donate some tooltip time in ~2 months… but first things first, I need to tame the current beast, harden my server, and complete my migration from “hell panel”.
mod_security with recent CRS rules provides functionality in a similar vein to mod_evasive. I’ve opted to use those on my deployments, rather than using both tools.
There are probably better docs for using CRS rules, though.
At this time I don’t see any compelling reason to use both, and one could create fail2ban rules to watch for mod_security actions, too, if you wanted to make the layer 7 blocking decisions at layer 4 instead (which could likely provide a small benefit in severe DDoS situations).
Edit: To be clear, I also won’t be working on mod_evasive GUI/installer support in the near future. Nothing stopping anyone else from working on it, though.
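The idea in the post above (fail2ban rules watching for mod_security actions), as an added example that is not from the thread or from fail2ban's own code: it mimics a jail's maxretry/findtime counting over Apache error-log lines, with an ignore list so a friendly IP is never banned. The log lines, rule ids and addresses are constructed, and the regex is an assumption about the Apache 2.4 error-log layout (IPv4 clients, chronological lines), not fail2ban's shipped filter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed Apache 2.4 error-log layout for a ModSecurity denial (IPv4 only).
DENIED = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[[^\]]*\] \[pid [^\]]+\] "
    r"\[client (?P<ip>\d+\.\d+\.\d+\.\d+)(?::\d+)?\] "
    r".*ModSecurity: Access denied with code [45]\d\d"
)

def find_bans(lines, maxretry=2, findtime=600, ignore=("127.0.0.0/8",)):
    """Return {ip: timestamp of the denial that crossed the threshold}."""
    allow = [ip_network(net) for net in ignore]
    window = timedelta(seconds=findtime)
    hits, bans = defaultdict(deque), {}
    for line in lines:
        m = DENIED.match(line)
        if not m:
            continue  # warnings and other modules' messages do not count
        ip = m["ip"]
        if ip in bans or any(ip_address(ip) in net for net in allow):
            continue  # already banned, or a friendly address
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
        q = hits[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop denials older than findtime
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = ts
    return bans

def _line(clock, ip, msg):
    return f"[Tue Mar 05 {clock}.000000 2024] [security2:error] [pid 4242] [client {ip}:50000] {msg}"

# Constructed sample log: messages, rule ids and addresses are illustrative.
DENY = 'ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [uri "/wp-login.php"]'
WARN = 'ModSecurity: Warning. Pattern match [id "920350"] [uri "/"]'
SAMPLE = [
    _line("10:00:00", "203.0.113.7", DENY),
    _line("10:00:05", "203.0.113.7", WARN),    # not a denial
    _line("10:00:10", "198.51.100.20", DENY),
    _line("10:01:00", "203.0.113.7", DENY),    # 2nd denial in window: ban
    _line("10:02:00", "192.0.2.10", DENY),     # admin's own address
    _line("10:02:01", "192.0.2.10", DENY),
    _line("10:30:00", "198.51.100.20", DENY),  # first denial has aged out
]
```

Calling `find_bans(SAMPLE, ignore=("192.0.2.10/32",))` bans only 203.0.113.7; with an empty ignore list the admin's address is banned as well.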
Excellent article… I honestly didn’t know that mod_security also protected against DoS attacks. I just wish I had read the article before I spent hours hunting down a mod_evasive fail2ban filter… oh well, never hurts to treat internet attacks like questionable ladies and… “double up” the protection…